Add noexec nodev and nosuid to sandbox /etc/resolv.conf mount bind.#8309
Add noexec nodev and nosuid to sandbox /etc/resolv.conf mount bind.#8309samuelkarp merged 3 commits intocontainerd:mainfrom
Conversation
|
Hi @vinayakankugoyal. Thanks for your PR. I'm waiting for a containerd member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/cc @rata |
|
@vinayakankugoyal: GitHub didn't allow me to request PR reviews from the following users: rata. Note that only containerd members and repo collaborators can review this PR, and authors cannot review their own PRs. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
@rata - please take a look. |
Signed-off-by: Vinayak Goyal <[email protected]>
vinayakankugoyal
force-pushed
the
fixresolv
branch
from
286077e to
ae4dbb6
Compare
AkihiroSuda
added
cherry-pick/sbserver
area/cri
|
/ok-to-test |
There was a problem hiding this comment.
@vinayakankugoyal I'm not sure this is the right fix.
When I mentioned to add these flags in the runc issue, it was as a debugging step, to gain insight; to make sure that worked on your setup too. Now that we know that works, though, we need to see why that helps in your setup. I guess it might be because the partition we are bind-mounting the files from might be mounted with those flags. But let's continue that conversation on the runc issue.
Also, IIUC this is not enough to make userns work in COS (but you share so little that is really me guessing here, I don't really know what is happening on your setup). I think the proper course of action is to fix that first, then see what we needed to do to make that work and then see what the proper fixes are and on which projects.
For example, if my guess about why these flags are needed in your setup, then we might either want to do the changes here or in runc. There is an open PR to improve the situation in runc just in those cases (see: opencontainers/runc#3710).
So, IMHO, it is a big no to merge this with the information we currently have. As I said, we don't know it will fix your issue (still pods with userns are failing in your setup), we don't know if we want to fix this in runc or containerd, etc. It might be that we decide to merge this code. But we still lack needed information to make this decision, so it seems too soon to open a PR. And maybe we want to mention these reasons in the commit msg, maybe in the code as a comment too. But until we really understand why it fails and your setup, we don't really know what to write either. My gut feeling, also, is that even if we decide to use this workaround, it might not be enough and we might need to change the mounts in the container too, not just the sandbox.
|
Based on what you suggested I was looking at the containerd code to understand why this was not set for |
|
Probably it doesn't hurt to add them (explaining that in the commit msg would have been good). But we don't know so far if those are even needed in your setup, with what we debugged so far we know they are needed to mount a file when we manually modify the config.json to point to a file mounted on a filesystem with those flags. Is that why the original (not manually modified) config.json fails? We don't know yet, we need to check those mount flags in the original source path. Also, even if this does indeed help, I doubt these would be the only changes needed and not sure we want to do them in runc too (besides the link I pasted in my previous comment, it seems crun is also handling that transparently). IMHO it is better to understand your setup, why it fails, and later open PRs making fixes, when we are certain we want those fixes and why. |
|
Please see opencontainers/runc#3770 (comment) Running containerd built from this PR fixed the issue that we were debugging. |
|
/retest |
|
@vinayakankugoyal Do you want to see if this is something simple to test? Maybe an integration test is the simplest, I don't know. So we make sure we don't regress on this. |
|
Added a check that the /etc/resolv.conf mount in in the desired configuration. |
vinayakankugoyal
force-pushed
the
fixresolv
branch
from
c50087e to
7e1d7bd
Compare
Signed-off-by: Vinayak Goyal <[email protected]>
vinayakankugoyal
force-pushed
the
fixresolv
branch
from
7e1d7bd to
990199a
Compare
rata
left a comment
rata
left a comment
There was a problem hiding this comment.
The test also LGTM, thanks!
|
@vinayakankugoyal Do you mind porting this over to |
samuelkarp
added
the
cherry-pick/1.7.x
|
@samuelkarp - Done! Please take another look. |
…unt bind. Signed-off-by: Vinayak Goyal <[email protected]>
vinayakankugoyal
force-pushed
the
fixresolv
branch
from
bf301c2 to
ac84bf7
Compare
|
/test pull-containerd-sandboxed-node-e2e |
fuweid
added
cherry-picked/1.7.x
6 participants
If you are running a pod with user namespace enabled you might see EPERM errors while mounting resolv.conf without these options.
This was discovered while we were debugging: opencontainers/runc#3770